With today’s cyber-focused society, there are numerous security companies constantly on the lookout for new variants of malware and threats that haven’t been seen before. So when new malware is discovered that not only provides a wide array of capabilities but also remained under the radar for 5 years, it begs further investigation. Researchers at Kaspersky Lab recently uncovered such a malware, which they dubbed TajMahal.
TajMahal is a highly modular piece of malware that was discovered in late 2018 attacking a Central Asian diplomatic agency. It contains 80 different plugins for various capabilities, one of the highest amounts ever seen with an APT. The developers of TajMahal have also made it very stealthy, including using behavioral detection avoidance and creating a new codebase from the ground up rather than using existing code from other sources. The malware contains 2 main modules: Tokyo and Yokohama.
While the initial stage of infection is unclear, the first stage of TajMahal is the Tokyo package. This contains 3 modules that install backdoors on the system, run PowerShell scripts, and establish contact with command and control servers. This module then downloads the second package, Yokohama.
Yokohama is the main data exfiltration module that contains most of the plugins used for obtaining data. It includes “backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim's machine” according to the re Exodus searchers. It can even see files that were accessed on removed USB drives and then copy that specific file the next time the drive is plugged in. The stolen data is exfiltrated using an XML file named TajMahal, hence the name researchers gave the malware itself.
While TajMahal has only been seen attacking the one organization, researchers have found some aspects of the malware that lead them to believe there may be other versions out in the wild that haven’t been detected yet. Samples studied so far suggest that the group behind the malware has been active since the Fall of 2014, so it is doubtful this will be the last that is seen from them.